* Re: Request to Update OpenSSH Version in Git due to Security Vulnerabilities (CVE-2006-5051, CVE-2024-6387 [not found] <AM9PR07MB71854BD4C1CE7E517203FFB6B1DF2@AM9PR07MB7185.eurprd07.prod.outlook.com> @ 2024-07-10 11:26 ` Johannes Schindelin 2024-07-10 17:10 ` Junio C Hamano 0 siblings, 1 reply; 5+ messages in thread From: Johannes Schindelin @ 2024-07-10 11:26 UTC (permalink / raw) To: Schoonderwaldt, Michel; +Cc: git@vger.kernel.org, git-security@googlegroups.com Hi Michel, On Fri, 5 Jul 2024, 'Schoonderwaldt, Michel' via Git Security wrote: > I am writing to bring to your attention a critical issue regarding the > version of OpenSSH included in the Git for Windows package. Recently, a > severe vulnerability (CVE-2024-6387) was disclosed, affecting versions > of OpenSSH from 8.5p1 up to and including 9.7p1. This vulnerability is a > regression of the earlier CVE-2006-5051, which was initially resolved in > OpenSSH version 4.4p1 but reintroduced in 8.5p1. This description, while correct, is incomplete. https://nvd.nist.gov/vuln/detail/CVE-2024-6387 has this to say: A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead to sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period. The crucial part is the `sshd` part. Git for Windows does distribute the `sshd.exe` binary, but it is in no way used by default, nor is there support how to set it up to run an SSH server. Git for Windows is therefore not affected by this vulnerability, and therefore it is not crucial to get a new version out as quickly as possible. See also my assessment at https://github.com/git-for-windows/git/issues/5031#issuecomment-2199722969 I take security very seriously. In some cases that dictates that I do _not_ rush out security bug-fix releases: Too many updates cause update fatigue, with the counterintuitive consequence that too many security bug-fix releases _decrease_ security. Therefore I assess carefully whether or not any given CVE in any given component that is distributed with Git for Windows merits an out-of-band release. The regreSSHion CVE in question does not. Having said that, the next official version is scheduled for July 29th (or soon thereafter): https://gh.io/gitCal. This will contain the OpenSSH version 9.8 that addressed that CVE. If this is not soon enough for you, feel warmly welcome to install the most recent snapshot from https://wingit.blob.core.windows.net/files/index.html; Git for Windows is kept in an always-releasable state, therefore I consider those snapshots to be equivalent to official releases with the only exception that they do not have an official-looking version number (and aren't announced as prominently, either). Ciao, Johannes > Given the popularity and widespread use of Git, it is crucial to ensure > that all included components are secure and up to date. Systems using > the affected versions of OpenSSH are at risk of exploitation, which > could lead to unauthorized access and other serious security issues. > > I would like to kindly request that the OpenSSH version included in the > Git for Windows package be updated to version 9.8/9.8p1 or higher, which > addresses these vulnerabilities. This update will help ensure the > security of all users who rely on Git for their development and > operational needs. > > Thank you for your attention to this matter. Please let me know if there > is any additional information you require. > > Met vriendelijke groet, > > Michel Schoonderwaldt > Senior ICT-specialist technische applicatie- en integratiebeheer | Team Informatiemanagement en ICT | Unit ICT > 046 477 71 96 > > Werkdagen: maandag tot en met vrijdag, 08:30 - 17:00 uur > > Gemeente Sittard-Geleen | www.sittard-geleen.nl<http://www.sittard-geleen.nl/> > Adressen en openingstijden<https://www.sittard-geleen.nl/adressen> > > [cid:image001.png@01DACEEF.84479400]<http://www.facebook.com/sittardgeleen> [cid:image002.png@01DACEEF.84479400] <https://www.instagram.com/gemeentesittardgeleen/> [cid:image003.png@01DACEEF.84479400] <http://twitter.com/sittardgeleen> [cid:image004.png@01DACEEF.84479400] <https://www.linkedin.com/company/sittard-geleen/> [cid:image005.png@01DACEEF.84479400] <http://www.youtube.com/user/sittardgeleenonline> > > [cid:image006.jpg@01DACEEF.84479400]<https://www.sittard-geleen.nl/> > > > -- > You received this message because you are subscribed to the Google Groups "Git Security" group. > To unsubscribe from this group and stop receiving emails from it, send an email to git-security+unsubscribe@googlegroups.com. > To view this discussion on the web visit https://groups.google.com/d/msgid/git-security/AM9PR07MB71854BD4C1CE7E517203FFB6B1DF2%40AM9PR07MB7185.eurprd07.prod.outlook.com. > ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Request to Update OpenSSH Version in Git due to Security Vulnerabilities (CVE-2006-5051, CVE-2024-6387 2024-07-10 11:26 ` Request to Update OpenSSH Version in Git due to Security Vulnerabilities (CVE-2006-5051, CVE-2024-6387 Johannes Schindelin @ 2024-07-10 17:10 ` Junio C Hamano 2024-07-10 17:23 ` Dragan Simic 0 siblings, 1 reply; 5+ messages in thread From: Junio C Hamano @ 2024-07-10 17:10 UTC (permalink / raw) To: Johannes Schindelin Cc: Schoonderwaldt, Michel, git@vger.kernel.org, git-security@googlegroups.com Johannes Schindelin <Johannes.Schindelin@gmx.de> writes: > The crucial part is the `sshd` part. Git for Windows does distribute the > `sshd.exe` binary, but it is in no way used by default, nor is there > support how to set it up to run an SSH server. > > Git for Windows is therefore not affected by this vulnerability, and > therefore it is not crucial to get a new version out as quickly as > possible. See also my assessment at > https://github.com/git-for-windows/git/issues/5031#issuecomment-2199722969 I think I've seen in the past another inquiry about vulnerability in OpenSSH, which turned out to be irrelevant in the context of Git for Windows for this exact reason (i.e. "sshd" is problematic but "ssh" is OK). Would it make future confusion like this less likely if you stopped shipping the sshd and ship only the ssh client? Thanks. ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Request to Update OpenSSH Version in Git due to Security Vulnerabilities (CVE-2006-5051, CVE-2024-6387 2024-07-10 17:10 ` Junio C Hamano @ 2024-07-10 17:23 ` Dragan Simic 2024-07-22 9:38 ` Johannes Schindelin 0 siblings, 1 reply; 5+ messages in thread From: Dragan Simic @ 2024-07-10 17:23 UTC (permalink / raw) To: Junio C Hamano Cc: Johannes Schindelin, Schoonderwaldt, Michel, git, git-security On 2024-07-10 19:10, Junio C Hamano wrote: > Johannes Schindelin <Johannes.Schindelin@gmx.de> writes: > >> The crucial part is the `sshd` part. Git for Windows does distribute >> the >> `sshd.exe` binary, but it is in no way used by default, nor is there >> support how to set it up to run an SSH server. >> >> Git for Windows is therefore not affected by this vulnerability, and >> therefore it is not crucial to get a new version out as quickly as >> possible. See also my assessment at >> https://github.com/git-for-windows/git/issues/5031#issuecomment-2199722969 > > I think I've seen in the past another inquiry about vulnerability > in OpenSSH, which turned out to be irrelevant in the context of Git > for Windows for this exact reason (i.e. "sshd" is problematic but > "ssh" is OK). > > Would it make future confusion like this less likely if you stopped > shipping the sshd and ship only the ssh client? Not shipping sshd.exe would make sense regardless of the associated security issues, because it would prevent accidental enabling of SSH access. Also, if someone wants to make SSHing into their Windows machine possible, I'm pretty sure they won't do that by installing Git for Windows and using the shipped sshd.exe, but by some other means. In other words, not shipping sshd.exe would not only reduce the likeness of hitting some security issues, but would also prevent accidental enabling of SSH access on a Windows machine. ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Request to Update OpenSSH Version in Git due to Security Vulnerabilities (CVE-2006-5051, CVE-2024-6387 2024-07-10 17:23 ` Dragan Simic @ 2024-07-22 9:38 ` Johannes Schindelin 2024-07-23 16:36 ` Dragan Simic 0 siblings, 1 reply; 5+ messages in thread From: Johannes Schindelin @ 2024-07-22 9:38 UTC (permalink / raw) To: Dragan Simic; +Cc: Junio C Hamano, Schoonderwaldt, Michel, git, git-security Hi Dragan, On Wed, 10 Jul 2024, 'Dragan Simic' via Git Security wrote: > On 2024-07-10 19:10, Junio C Hamano wrote: > > Johannes Schindelin <Johannes.Schindelin@gmx.de> writes: > > > > > The crucial part is the `sshd` part. Git for Windows does distribute the > > > `sshd.exe` binary, but it is in no way used by default, nor is there > > > support how to set it up to run an SSH server. > > > > > > Git for Windows is therefore not affected by this vulnerability, and > > > therefore it is not crucial to get a new version out as quickly as > > > possible. See also my assessment at > > > https://github.com/git-for-windows/git/issues/5031#issuecomment-2199722969 > > > > I think I've seen in the past another inquiry about vulnerability > > in OpenSSH, which turned out to be irrelevant in the context of Git > > for Windows for this exact reason (i.e. "sshd" is problematic but > > "ssh" is OK). > > > > Would it make future confusion like this less likely if you stopped > > shipping the sshd and ship only the ssh client? > > Not shipping sshd.exe would make sense regardless of the associated security > issues, because it would prevent accidental enabling of SSH access. There is little accidental about starting `sshd` after generating a valid host key. Having said that, `sshd` is not required to run Git, therefore it should not be distributed with Git for Windows. This PR addresses that: https://github.com/git-for-windows/build-extra/pull/571 Thank you, Johannes ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Request to Update OpenSSH Version in Git due to Security Vulnerabilities (CVE-2006-5051, CVE-2024-6387 2024-07-22 9:38 ` Johannes Schindelin @ 2024-07-23 16:36 ` Dragan Simic 0 siblings, 0 replies; 5+ messages in thread From: Dragan Simic @ 2024-07-23 16:36 UTC (permalink / raw) To: Johannes Schindelin Cc: Junio C Hamano, Schoonderwaldt, Michel, git, git-security Hello Johannes, On 2024-07-22 11:38, Johannes Schindelin wrote: > On Wed, 10 Jul 2024, 'Dragan Simic' via Git Security wrote: > >> On 2024-07-10 19:10, Junio C Hamano wrote: >> > Johannes Schindelin <Johannes.Schindelin@gmx.de> writes: >> > >> > > The crucial part is the `sshd` part. Git for Windows does distribute the >> > > `sshd.exe` binary, but it is in no way used by default, nor is there >> > > support how to set it up to run an SSH server. >> > > >> > > Git for Windows is therefore not affected by this vulnerability, and >> > > therefore it is not crucial to get a new version out as quickly as >> > > possible. See also my assessment at >> > > https://github.com/git-for-windows/git/issues/5031#issuecomment-2199722969 >> > >> > I think I've seen in the past another inquiry about vulnerability >> > in OpenSSH, which turned out to be irrelevant in the context of Git >> > for Windows for this exact reason (i.e. "sshd" is problematic but >> > "ssh" is OK). >> > >> > Would it make future confusion like this less likely if you stopped >> > shipping the sshd and ship only the ssh client? >> >> Not shipping sshd.exe would make sense regardless of the associated >> security >> issues, because it would prevent accidental enabling of SSH access. > > There is little accidental about starting `sshd` after generating a > valid > host key. Well, I don't know what and how Git for Windows does regarding the host key generation, so the possibility of accidental starting the shipped sshd.exe may actually be quite low. > Having said that, `sshd` is not required to run Git, therefore it > should > not be distributed with Git for Windows. This PR addresses that: > https://github.com/git-for-windows/build-extra/pull/571 Interestingly, that pull request shows that some people actually use(d) the shipped sshd.exe, which just shows that nearly every change will inevitably break somebody's workflow. ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2024-07-23 16:36 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <AM9PR07MB71854BD4C1CE7E517203FFB6B1DF2@AM9PR07MB7185.eurprd07.prod.outlook.com>
2024-07-10 11:26 ` Request to Update OpenSSH Version in Git due to Security Vulnerabilities (CVE-2006-5051, CVE-2024-6387 Johannes Schindelin
2024-07-10 17:10 ` Junio C Hamano
2024-07-10 17:23 ` Dragan Simic
2024-07-22 9:38 ` Johannes Schindelin
2024-07-23 16:36 ` Dragan Simic
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).